Defense contractors across the U.S. are moving to update their cybersecurity programs to meet or exceed Cybersecurity Maturity Model Certification (CMMC) requirements launched in 2020 by the Department of Defense (DoD) to provide greater protection of Controlled Unclassified Information (CUI). The effort required for CMMC Level 3 Certification will be significant for many of the small to midsized firms who have limited information technology and cybersecurity personnel and resources.
The first reaction for many of these organizations will be to engage a third-party service provider for a CMMC readiness assessment. Spending money on a 3rd-party readiness assessment that will tell you what you already know might not be the best first move. Instead, you should perform some internal activities to better prepare the organization before seeking outside assistance. The following presents a four-step approach to get started down the road to CMMC Level 3 certification.
Understand CMMC and the certification process
The first thing you will want to do is obtain a clear and complete understanding of CMMC and the certification process. This understanding will not only help to craft a logical approach to certification, but it will also equip you with the information necessary to effectively communicate with executive leadership and your team. Download copies of the CMMC documents found at Cybersecurity Maturity Model Certification (CMMC) (osd.mil).
- CMMC Model v1.02, March 18, 2020 – presents the CMMC model and each of its elements
- CMMC Model v1.02 Appendices
  - Appendix A – CMMC Model presented in a matrix form
  - Appendix B – Process and Practices of the CMMC Model
  - Appendix C – CMMC Glossary of Terms
  - Appendix D – CMMC Abbreviations and Acronyms
  - Appendix E – Mapping CMMC to Other Frameworks
  - Appendix F – References
- CMMC Level 1 Assessment Guide – Assessment guidance for CMMC Level 1 and the protection of Federal Contract Information (FCI)
- CMMC Level 3 Assessment Guide – Assessment guidance for CMMC Level 2 and Level 3 and the protection of Controlled Unclassified Information (CUI)
- CMMC Glossary
The CMMC Level 3 Assessment Guide and Appendix B of the CMMC Model v1.02 Appendices are very helpful, as they discuss each process and practice in the CMMC model and include high-level examples that provide implementation clarity.
Identify and inventory CUI
CUI is defined by the National Archives and Records Administration (NARA) as: “Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order or Atomic Energy Act of 1954, as amended.”
NARA has a website dedicated to CUI (Controlled Unclassified Information (CUI) | National Archives) where you can find the various categories of CUI. Work directly with your legal counsel and your DoD business partner(s), leveraging the NARA classifications and descriptions, to reach a consensus on what data elements within your enterprise will be classified as CUI. Ensure that the classification discussions held and any decisions that are made are documented for posterity. Do not forget to include CUI data elements that are anticipated to be present under any new agreements.
Create a formal inventory of the CUI data elements found within the enterprise. Map each element to the system or systems involved in its creation, processing, receipt, transmission, and/or storage. Individuals who have significant standing within the organization, typically on the business side, should be assigned as Owners and given responsibility for overseeing the appropriate use and handling of the CUI-associated systems and data throughout their useful lifecycles. An asset management system is recommended for this activity, but Microsoft Excel should be adequate for capturing and maintaining the CUI inventory in small to midsize organizations.
Scope your CUI environment
Use the CUI inventory to identify the boundaries of the CUI environment. This includes creating physical and logical data flow diagrams of CUI within a system and between multiple systems. Do not forget to include any external systems or services that may be involved and any associated network transport services. Scoping is critical to the success of the CMMC certification as it identifies the resources (hardware, software, network, accounts, procedures, etc.) that will be examined by the Certified 3rd Party Assessment Organization (C3PAO). An incomplete or inaccurate scope can result in a certification failure.
During the scoping activity, look for opportunities to reduce the CUI footprint through things like file consolidation, database consolidation, and network segmentation. Reducing the CUI footprint can improve your ability to protect it and may reduce administrative and technical costs.
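The inventory-to-scope workflow described in the two sections above (map each CUI element to the systems that touch it at each lifecycle stage, derive the assessment boundary from that mapping, and look for footprint-reduction opportunities) is easy to get wrong in a spreadsheet once the element count grows. The script below is an added example, not code from the article or from any CMMC publication: it models a small CUI inventory, derives the set of in-scope systems, flags external services and elements with no assigned Owner, and lists elements stored in more than one place as consolidation candidates. All system names, NARA category labels, owners and lifecycle mappings are constructed sample values; the `network_zone` field is an assumed label used only to show which segments the scope spans.

```python
"""Added example: derive a CMMC assessment scope from a CUI inventory.

Every record below is constructed sample data for illustration; the field
names (owner, lifecycle stages, network_zone) are this example's own
assumptions, not a format defined by CMMC or NARA.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class System:
    name: str
    external: bool = False        # third-party service or partner system
    network_zone: str = "corp"    # assumed segmentation label


@dataclass
class CuiElement:
    name: str
    category: str                 # NARA CUI category label (sample value)
    owner: str                    # business-side Owner accountable for the element
    # lifecycle stage -> names of systems involved at that stage
    # (create, process, receive, transmit, store)
    lifecycle: dict[str, set[str]] = field(default_factory=dict)


# Constructed sample environment (not a real organisation).
SYSTEMS: dict[str, System] = {s.name: s for s in [
    System("erp"),
    System("file-share"),
    System("engineering-laptops", network_zone="eng"),
    System("email-gateway"),
    System("partner-sftp", external=True, network_zone="external"),
]}

INVENTORY: list[CuiElement] = [
    CuiElement("technical-drawings", "CTI", "Director of Engineering",
               {"create": {"engineering-laptops"},
                "store": {"file-share", "engineering-laptops"},
                "transmit": {"partner-sftp"}}),
    CuiElement("contract-pricing", "PROPIN", "CFO",
               {"create": {"erp"},
                "store": {"erp", "file-share"},
                "transmit": {"email-gateway"}}),
    # Deliberately left without an Owner so the report flags it.
    CuiElement("export-controlled-specs", "EXPT", "",
               {"receive": {"partner-sftp"},
                "store": {"file-share"}}),
]


def validate(inventory: list[CuiElement], systems: dict[str, System]) -> list[str]:
    """Return human-readable problems: unknown systems and missing Owners."""
    problems = []
    for e in inventory:
        if not e.owner:
            problems.append(f"{e.name}: no Owner assigned")
        for stage, names in e.lifecycle.items():
            for n in names:
                if n not in systems:
                    problems.append(f"{e.name}: unknown system '{n}' at stage '{stage}'")
    return problems


def in_scope_systems(inventory: list[CuiElement], systems: dict[str, System]) -> set[System]:
    """Every system that touches any CUI element at any lifecycle stage is in scope."""
    names = {n for e in inventory for stage in e.lifecycle.values() for n in stage}
    return {systems[n] for n in names if n in systems}


def scope_report(inventory: list[CuiElement], systems: dict[str, System]) -> dict:
    """Summarise the assessment boundary and footprint-reduction candidates."""
    scope = in_scope_systems(inventory, systems)
    stored_in = {e.name: sorted(e.lifecycle.get("store", set())) for e in inventory}
    return {
        "in_scope": sorted(s.name for s in scope),
        "external": sorted(s.name for s in scope if s.external),
        "zones": sorted({s.network_zone for s in scope}),
        "problems": validate(inventory, systems),
        # An element stored in more than one system is a consolidation candidate.
        "consolidation_candidates": {k: v for k, v in stored_in.items() if len(v) > 1},
    }


if __name__ == "__main__":
    for key, value in scope_report(INVENTORY, SYSTEMS).items():
        print(f"{key}: {value}")
```

Run against the sample inventory, the report places all five systems in scope, marks `partner-sftp` as an external service that the C3PAO will still examine, shows the scope spanning three network zones, flags the element with no Owner, and lists the two elements that are stored in two systems each as places where file or database consolidation could shrink the footprint.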
Document the three required CMMC processes
CMMC requires an entity to formally document and maintain three processes to achieve Level 3 certification. These processes apply across all 17 CMMC domains and are:
- ML.2.999 CMMC Policy Statements
- ML.2.998 CMMC Practices
- ML.3.997 Resource Plan
Create a high-level policy statement for each of the 17 CMMC domains. You can elect to create 17 separate documents or combine the policy statements into a single comprehensive document. The recommended Policy Statement format is as follows:
1. Purpose – brief description of the document’s intent.
   Example: This policy establishes the requirements for managing access to Acme information technology (IT) systems and information assets in a secure and auditable manner.
2. Scope – who is subject to this policy statement.
   Example: This policy applies to all Acme employees, contractors, and vendors that manage and administer Acme systems and networks and to those responsible for establishing and implementing access control mechanisms within the IT enterprise.
3. Key Roles – assign the key roles associated with the policy, including who is responsible for defining policy requirements, executing the policy, enforcing the policy, and developing and maintaining process and procedure documentation.
4. Policy Statement – the high-level statement that defines how the entity implements the domain and associated practices.
   Example: Access to Acme organizational systems and information assets must be commensurate with predefined access requirements. The access requirements must balance the organization’s business or mission needs with the security controls necessary to protect Acme assets from unauthorized access and misuse. Processes and mechanisms will be implemented that provide for the control, administration, and tracking of access to Acme systems and information and to protect these assets from unauthorized access, tampering, and destruction.
5. Authorization – executive signature authorizing the policy statement.
Create a detailed narrative for each of the 130 practices required to implement the domain policies. The narrative should express to the reader how the organization utilizes personnel resources, processes and procedures, and tools and technology to implement, administer, monitor, and report on the given practice.
During CMMC certification, the C3PAO is required to collect two forms of Objective Evidence to validate a practice and may only collect this evidence from an individual that is “actively performing the process or practice being evaluated”. Therefore, when crafting your narratives, identify at least one individual who is actively involved in the practice and designate them as the Subject Matter Expert (SME) that will interact with the C3PAO. In addition, catalog any artifacts (e.g., dashboards, management reports, operational procedures, service requests, change records, workstation screenshots, etc.) that serve as Objective Evidence for what you have written.
Create a resource plan that details how the delivery of the Domain policies and security practices will be supported. The Plan should speak to the strategic-level objectives of the organization’s cybersecurity program, including a mission statement, cybersecurity goals and objectives, cybersecurity requirements and obligations (e.g., statutory, regulatory, contractual), and the responsibilities of key stakeholders. The Plan must also specify the resources being allocated to the delivery of each Domain policy. The resource allocation should address funding for staffing, processes and procedures, tools and technology, and 3rd-party managed services.
After completing the four steps presented here, your organization will be in a position to initiate a cost-effective independent 3rd-party readiness assessment that will add true value to your CMMC Level 3 certification efforts.